Adobe's July patch roundup contains fixes for its ubiquitous free PDF reader, Acrobat Reader, and for other software such as Illustrator and Bridge.
Eleven critical bugs in Adobe's popular and free PDF reader, Acrobat, expose both Windows and macOS users to attacks ranging from arbitrary code execution on a targeted system to information leakage tied to memory-read flaws.
In a Tuesday security bulletin, which included patches for all of the flaws, the company stated that the Windows and macOS versions of Acrobat are equally affected. Adobe added that it was not aware of any exploitation of the bugs in the wild.
The free Acrobat Reader 2020 and the PDF-creation and editing software Acrobat 2020 were among the products with critical bugs patched. Adobe also patched Acrobat DC, Acrobat Reader DC, Acrobat Reader 2017 and Acrobat 2017. In all, Adobe patched 20 Acrobat bugs, 9 of them rated critical.
Two of the most severe Acrobat vulnerabilities are use-after-free flaws (CVE-2021-28641, CVE-2021-28639) that, in the worst case, allow an adversary to execute arbitrary code on a targeted system, or at minimum crash the application.
One of the more interesting critical bugs patched is an "uncontrolled search path element" flaw (CVE-2021-28636). This vulnerability class also goes by the names DLL preloading, DLL hijacking and insecure library loading (it is sometimes lumped together with dependency confusion, but that term properly describes package-manager substitution attacks, a different weakness). It is unclear how the weakness was introduced into Adobe Acrobat. The security bulletin links to a generic description of the flaw, which states:
"The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors... In some cases, the attack can be conducted remotely, such as when SMB or WebDAV network shares are used," according to MITRE's description of the vulnerability type.
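To make the MITRE description concrete, the following is an added example (not Adobe's code, not the patched component, and not taken from the bulletin) that models how a loader walks a search order and flags a library request as hijackable when an attacker-writable directory is consulted before the request is satisfied. The directories, their writability, the files present and the DLL names (including "optional-feature.dll", a component the application asks for but that is not installed) are all constructed for this example; the default order is a simplified version of the Windows order with SafeDllSearchMode enabled, and the hardened order reflects restricting loads to the application directory and System32.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CANDIDATE 512
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* One step of the modelled loader search order: the directory consulted and
 * whether an unprivileged attacker can plant files in it. */
typedef struct {
    const char *dir;
    int attacker_writable;
} search_entry;

/* Simplified default Windows DLL search order (SafeDllSearchMode on):
 * application directory, System32, Windows directory, current working
 * directory, then PATH. Directories and writability are constructed for this
 * example; the CWD is a remote share because the opened document lives there,
 * which is the remote case MITRE describes. */
static const search_entry kDefaultOrder[] = {
    { "C:\\Program Files\\ExampleApp",            0 },
    { "C:\\Windows\\System32",                    0 },
    { "C:\\Windows",                              0 },
    { "\\\\attacker-share\\docs",                 1 },  /* CWD: WebDAV/SMB share */
    { "C:\\Users\\victim\\AppData\\Local\\Tools", 1 },  /* user-writable PATH entry */
};

/* Hardened order: what an application gets after restricting loads to its own
 * directory and System32 (on Windows, LOAD_LIBRARY_SEARCH_APPLICATION_DIR |
 * LOAD_LIBRARY_SEARCH_SYSTEM32 via SetDefaultDllDirectories or LoadLibraryEx). */
static const search_entry kHardenedOrder[] = {
    { "C:\\Program Files\\ExampleApp", 0 },
    { "C:\\Windows\\System32",         0 },
};

/* Files present on the victim machine (constructed). "optional-feature.dll"
 * is requested by the application but not installed anywhere. */
static const char *const kPresent[] = {
    "C:\\Program Files\\ExampleApp\\ExampleApp.exe",
    "C:\\Program Files\\ExampleApp\\core.dll",
    "C:\\Windows\\System32\\kernel32.dll",
};

static int file_exists(const char *path, const char *const *present, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(path, present[i]) == 0) return 1;
    return 0;
}

/* Walk the search order as the loader would; return the index of the first
 * directory holding the DLL, or -1 if no directory does. */
int resolve_dll(const char *dll, const search_entry *order, size_t n_order,
                const char *const *present, size_t n_present) {
    char candidate[MAX_CANDIDATE];
    for (size_t i = 0; i < n_order; i++) {
        snprintf(candidate, sizeof candidate, "%s\\%s", order[i].dir, dll);
        if (file_exists(candidate, present, n_present)) return (int)i;
    }
    return -1;
}

/* CWE-427 check: the load is hijackable if the loader consults an
 * attacker-writable directory at or before the point where the request is
 * satisfied. A DLL that is never found is the classic case: every directory
 * in the order gets a chance to supply it. */
int is_hijackable(const char *dll, const search_entry *order, size_t n_order,
                  const char *const *present, size_t n_present) {
    int hit = resolve_dll(dll, order, n_order, present, n_present);
    size_t limit = (hit < 0) ? n_order : (size_t)hit + 1;
    for (size_t i = 0; i < limit; i++)
        if (order[i].attacker_writable) return 1;
    return 0;
}

int default_order_hijackable(const char *dll) {
    return is_hijackable(dll, kDefaultOrder, COUNT(kDefaultOrder), kPresent, COUNT(kPresent));
}

int hardened_order_hijackable(const char *dll) {
    return is_hijackable(dll, kHardenedOrder, COUNT(kHardenedOrder), kPresent, COUNT(kPresent));
}

int main(void) {
    const char *dlls[] = { "kernel32.dll", "core.dll", "optional-feature.dll" };
    for (size_t i = 0; i < COUNT(dlls); i++)
        printf("%-22s default: %s  hardened: %s\n", dlls[i],
               default_order_hijackable(dlls[i]) ? "HIJACKABLE" : "safe",
               hardened_order_hijackable(dlls[i]) ? "HIJACKABLE" : "safe");
    return 0;
}
```

The point the model makes is that a library the application asks for but never ships is the easiest target: under the default order the loader eventually reaches the document's directory on the remote share, so an attacker who controls that share gets code execution the moment the victim opens a file from it. Restricting the search order makes the same missing library fail to load instead of loading from the share. The same check applies to libraries that are installed but located after a writable directory in the order.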
Adobe Illustrator and Bridge Also Patched
Other Adobe products were also part of the vendor's roundup of fixes: Bridge, FrameMaker, Dimension and Illustrator.
Four critical bugs in Adobe Bridge, a free app for managing digital assets, were patched. These include a heap-based buffer-overflow flaw (CVE-2021-28624), an improper input-validation vulnerability (CVE-2021-35991) and two arbitrary code-execution bugs (CVE-2021-35989, CVE-2021-35990).
A heap-based buffer overflow can let an adversary execute arbitrary code; short of that, it can crash the program, send it into an infinite loop or restart cycle, or cause another form of denial of service through CPU or memory exhaustion. Trend Micro Zero Day Initiative researcher Tran Van Khang is credited with identifying the bug.
One critical flaw (CVE-2021-28596) was reported, and patched, in the Windows version of Adobe's high-end document-processing software FrameMaker. This arbitrary code-execution bug is categorized as an out-of-bounds write vulnerability, meaning an adversary could craft input that makes the software write data past the end, or before the beginning, of the intended memory buffer. This can corrupt data, crash the targeted process or allow an attacker to execute code on the targeted system.
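The heap-based buffer overflow in Bridge and the out-of-bounds write in FrameMaker described above share one root cause: a length taken from attacker-controlled input drives a copy into a buffer whose size it was never checked against. The following is an added example, not the code of either product and not derived from the bulletin, that shows the shape of that bug in a toy record format constructed for this example (one length byte followed by that many name bytes, stored in a 16-byte heap buffer), beside a hardened parser that validates the declared length against both the input actually present and the destination capacity.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy record layout (constructed for this example, not FrameMaker's or
 * Bridge's format): one byte declaring the length of a name field, followed
 * by that many bytes of name. The parser stores the name in a fixed 16-byte
 * heap buffer. */
#define NAME_CAP 16

typedef struct {
    char *name;   /* heap allocation of exactly NAME_CAP bytes */
} record;

/* VULNERABLE: trusts the attacker-controlled length byte. A declared length
 * of 16 or more writes beyond the 16-byte heap chunk (heap-based buffer
 * overflow, an out-of-bounds write); a declared length larger than the input
 * also reads past the input. Kept only to show the shape of the bug; never
 * feed it untrusted data. */
record *parse_record_vuln(const uint8_t *buf, size_t len) {
    if (len < 1) return NULL;
    size_t declared = buf[0];
    record *r = malloc(sizeof *r);
    if (r == NULL) return NULL;
    r->name = malloc(NAME_CAP);
    if (r->name == NULL) { free(r); return NULL; }
    memcpy(r->name, buf + 1, declared);   /* no check against NAME_CAP or len */
    r->name[declared] = '\0';             /* out of bounds once declared >= NAME_CAP */
    return r;
}

/* HARDENED: the declared length is checked against the bytes actually present
 * (prevents the over-read) and against the destination capacity, leaving room
 * for the terminator (prevents the out-of-bounds write). */
record *parse_record_safe(const uint8_t *buf, size_t len) {
    if (len < 1) return NULL;
    size_t declared = buf[0];
    if (declared > len - 1) return NULL;        /* truncated input */
    if (declared > NAME_CAP - 1) return NULL;   /* would overflow the heap buffer */
    record *r = malloc(sizeof *r);
    if (r == NULL) return NULL;
    r->name = malloc(NAME_CAP);
    if (r->name == NULL) { free(r); return NULL; }
    memcpy(r->name, buf + 1, declared);
    r->name[declared] = '\0';
    return r;
}

void free_record(record *r) {
    if (r != NULL) { free(r->name); free(r); }
}

/* How many bytes parse_record_vuln would write past the end of its 16-byte
 * buffer for a given record: computed from the header, not executed. */
size_t overflow_bytes(const uint8_t *buf, size_t len) {
    if (len < 1) return 0;
    size_t writes = (size_t)buf[0] + 1;   /* name bytes plus the terminator */
    return writes > NAME_CAP ? writes - NAME_CAP : 0;
}

/* Constructed inputs. */
static const uint8_t kBenign[]    = { 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t kTruncated[] = { 5, 'h', 'e' };   /* claims 5 bytes, carries 2 */

/* Returns 1 if the hardened parser rejects a 200-byte name and the analysis
 * reports the 185-byte overrun the vulnerable parser would have caused. */
int malicious_record_rejected(void) {
    uint8_t evil[201];
    evil[0] = 200;
    memset(evil + 1, 'A', 200);
    record *r = parse_record_safe(evil, sizeof evil);
    int rejected = (r == NULL);
    free_record(r);
    return rejected && overflow_bytes(evil, sizeof evil) == 185;
}

/* Returns 1 if the hardened parser accepts the benign record and yields "hello". */
int benign_record_parses(void) {
    record *r = parse_record_safe(kBenign, sizeof kBenign);
    int ok = (r != NULL) && strcmp(r->name, "hello") == 0;
    free_record(r);
    return ok;
}

int main(void) {
    printf("benign parses: %d\n", benign_record_parses());
    printf("truncated rejected: %d\n", parse_record_safe(kTruncated, sizeof kTruncated) == NULL);
    printf("malicious rejected: %d\n", malicious_record_rejected());
    return 0;
}
```

The two checks in the hardened parser correspond to the two halves of the bug class: the first guards the read side (the declared length must not exceed the input), the second the write side (the declared length plus terminator must fit the heap allocation). Dropping either one reintroduces a memory-safety flaw of the kind the bulletin fixes; the example deliberately computes the overrun rather than executing the vulnerable parser on the malicious record, since doing so corrupts heap metadata and the result is undefined.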